March 6, 2024 at 07:15AM
Hackers are using new Golang-based malware to target misconfigured servers running Apache Hadoop YARN, Docker, Confluence, or Redis. The campaign exploits configuration weaknesses and an old vulnerability in Atlassian Confluence. Researchers at Cado Security identified the attack, which involves novel Golang payloads and common Linux attack techniques to install a cryptocurrency miner and establish persistence.
Key takeaways from the Cado Security report:
– Hackers are targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, or Redis with new Golang-based malware.
– The campaign takes advantage of configuration weaknesses and exploits an old vulnerability in Atlassian Confluence to execute code on the machine.
– The intrusion set is similar to previously reported cloud attacks attributed to threat actors like TeamTNT, WatchDog, and Kiss-a-Dog.
– The attackers rely on multiple shell scripts and common Linux attack techniques to install a cryptocurrency miner, establish persistence, and set up a reverse shell.
– The campaign deploys a set of four novel Golang payloads to identify and exploit hosts running specific services.
– These Golang tools scan a network segment for the default ports of the services targeted in this campaign (Hadoop YARN, Docker, Confluence, Redis) to find exposed hosts.
– The attackers also use a larger shell script to extend the compromise, hinder forensic analysis on the host, and fetch additional payloads.
– While some of the payloads are widely flagged as malicious by antivirus engines, the four Golang binaries for discovering target services are virtually undetected.
– Cado Security has conducted a technical analysis for all the payloads discovered in the campaign and shared the associated indicators of compromise.
Because the discovery binaries are largely missed by signature-based antivirus, the practical defence is to remove the exposures the campaign depends on: do not bind the Docker Engine API, the Hadoop YARN ResourceManager, or Redis to untrusted interfaces without authentication, apply the Confluence patch, and watch for the shell-script, persistence, and miner behaviour the report describes rather than relying on file hashes alone.
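The discovery step described above, scanning a network segment for the default ports of the four targeted services, can be reproduced defensively to audit your own address space before an attacker does. The following is an added example written for this article; it is not Cado Security's code nor the campaign's Golang payloads, whose exact port list is not given here. The ports used (8088 for YARN, 2375 for the plaintext Docker API, 8090 for Confluence, 6379 for Redis) are the standard service defaults and are an assumption about what such a scanner would target; the CIDR in main is a placeholder. Run it only against networks you own.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
	"sync"
	"time"
)

// DefaultPorts maps the standard default ports of the four services this
// campaign targets to a label. Assumption: the article does not list the
// exact ports the Golang payloads probe; these are the service defaults.
var DefaultPorts = map[int]string{
	8088: "Hadoop YARN ResourceManager",
	2375: "Docker Engine API (plaintext)",
	8090: "Confluence",
	6379: "Redis",
}

// Finding records one host:port that accepted a TCP connection.
type Finding struct {
	Host    string
	Port    int
	Service string
}

// ExpandCIDR returns every address inside cidr (network and broadcast
// addresses included, which is fine for an exposure audit). Segments wider
// than /16 are refused so a typo cannot turn into a multi-million-host scan.
func ExpandCIDR(cidr string) ([]string, error) {
	ip, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	ones, bits := ipnet.Mask.Size()
	if bits-ones > 16 {
		return nil, fmt.Errorf("segment %s too large; split it into /16 or smaller", cidr)
	}
	var hosts []string
	for cur := ip.Mask(ipnet.Mask); ipnet.Contains(cur); inc(cur) {
		hosts = append(hosts, cur.String())
	}
	return hosts, nil
}

// inc increments an IP address in place, carrying across octets.
func inc(ip net.IP) {
	for j := len(ip) - 1; j >= 0; j-- {
		ip[j]++
		if ip[j] > 0 {
			break
		}
	}
}

// ScanSegment performs a plain TCP connect probe of every host in cidr on
// every port in ports, using `workers` concurrent dialers, and returns the
// reachable host:port pairs sorted by host then port. This is the same
// discovery logic the article attributes to the Golang payloads, used here
// to enumerate your own exposed services.
func ScanSegment(cidr string, ports map[int]string, timeout time.Duration, workers int) ([]Finding, error) {
	hosts, err := ExpandCIDR(cidr)
	if err != nil {
		return nil, err
	}
	type target struct {
		host string
		port int
	}
	jobs := make(chan target)
	results := make(chan Finding)
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for t := range jobs {
				addr := net.JoinHostPort(t.host, strconv.Itoa(t.port))
				c, err := net.DialTimeout("tcp", addr, timeout)
				if err != nil {
					continue // closed, filtered, or unreachable
				}
				c.Close()
				results <- Finding{Host: t.host, Port: t.port, Service: ports[t.port]}
			}
		}()
	}
	go func() {
		for _, h := range hosts {
			for p := range ports {
				jobs <- target{host: h, port: p}
			}
		}
		close(jobs)
	}()
	go func() { wg.Wait(); close(results) }()
	var found []Finding
	for f := range results {
		found = append(found, f)
	}
	sort.Slice(found, func(i, j int) bool {
		if found[i].Host != found[j].Host {
			return found[i].Host < found[j].Host
		}
		return found[i].Port < found[j].Port
	})
	return found, nil
}

func main() {
	// Placeholder segment: replace with the range you are responsible for.
	findings, err := ScanSegment("127.0.0.1/32", DefaultPorts, 500*time.Millisecond, 64)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s:%d open (%s)\n", f.Host, f.Port, f.Service)
	}
}
```

A connect-level hit only says the port is reachable; whether the service behind it is actually unauthenticated (an open Docker socket, a YARN REST API that accepts application submissions, a Redis with no AUTH) needs a follow-up check per service, but any hit on these ports from outside a trusted network is already the misconfiguration the campaign looks for.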